Securing Tomcat 8 – Part 2

Vulnerability: Clickjacking

How to check: 

Create a page that call the site in (should fail to display in the frame)

<title>Clickjack test page</title>
<p>Website is vulnerable to clickjacking if you can see it below!</p>


Create in $TOMCAT_BASE/lib/org/owasp/filters/ClickjackFilter.class

public class ClickjackFilter implements Filter

private String mode = “DENY”;

* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
* decide to implement) not to display this content in a frame. For details, please
* refer to
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
//If you have Tomcat 5 or 6, there is a known bug using this code. You must have the doFilter first:
chain.doFilter(request, response);
res.addHeader(“X-FRAME-OPTIONS”, mode );
//Otherwise use this:
//res.addHeader(“X-FRAME-OPTIONS”, mode );
//chain.doFilter(request, response);


public void destroy() {

public void init(FilterConfig filterConfig) {
String configMode = filterConfig.getInitParameter(“mode”);
if ( configMode != null ) {
mode = configMode;

Add to web.xml



Verification: In addition to <iframe> check above, can also verify that X-FRAME-OPTIONS cookie is present.

[root@localhost webapps]# telnet localhost 8180
Connected to localhost.
Escape character is ‘^]’.
GET http://localhost:8180/index.jsp HTTP/1.1

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=49A0FE6E28D5C04362CC830ECB4732F7; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6
Date: Thu, 10 Nov 2016 07:02:16 GMT
Server: MyServer


Connection closed by foreign host.



If using supported version of Tomcat, only need to set filter in web.xml without requiring to do all above



If the tomcat in use does not support it, will see below exception

09-Nov-2016 11:44:00.655 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
at java.lang.ClassLoader.loadClass(
at java.lang.ClassLoader.loadClass(


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s